>If they compromised any systems, it was the mail server because it is
>the only one that resides on a DMZ.  I am concerned as it was scanned
>over 12 times from the same IP address in the course of a day according
>to the PIX syslog server files.

The plot thickens...

Your firewall detected that someone scanned your mailserver 12 times in one 
day, and you are confident that your firewall did nothing to prevent the 
hacker from breaking in to your mailserver -- but you are also confident 
that the firewall positively prevented the hacker from breaking into any 
other servers?  Or was the mailserver the only one that was port scanned?

>Unfortunately, none of the logs was indicative of a non-company computer
>"being treated as local."   The logs were not indicative of any company
>accounts being used for spam transmission. It is almost as if the SMTP
>authentication was not working and allowing mail relay while the "No
>Mail Relay" option was turned on.

Do the logs show the E-mail being sent out?  If no, then you should check 
non-IMail programs on the server (i.e. hacked IIS).  If yes, then you should 
know why IMail allowed the E-mail to be sent out (was the spam sent to 
local users? was the IP address they came from a local IP? could IMail have 
been set to an open relay setting, then changed to a closed relay setting, 
but the SMTP service wasn't stopped/restarted?)

>In earlier e-mails, a log from Wednesday the 9th showed any and
>everybody going through it despite the settings.  On the 11th I got an
>e-mail from spamcop.net and UU Net stating that my server was being used
>as open relay.
>
>I looked at the logs to see that they were right.  I then checked the
>SMTP security settings to find "No Mail Relay" enabled.
>I then rebooted the server, loaded some more Windows update packages
>etc., and reapplied the 7.13 I-Mail program.
>
>Upon reboot, the logs were indicative of non-local users being bounced.

http://dsbl.org/message.php?id=2297180 shows that you got listed in DSBL 
for exactly that reason -- outgoing mail was allowed without having to 
resort to sniffing passwords or IP spoofing or anything like that.

So I'm guessing that the settings were changed to "Yes Mail Relay" (or 
whatever that setting is called), the service was stopped/restarted or 
rebooted.  Then, the setting was changed back to "No Mail Relay", but the 
SMTP service was never stopped/restarted.

>Based on that my conclusion is that the SMTP security had hung for a
>couple of days when we moved the IMail box from a public IP to a DMZ.
>This is because once the server was moved to the DMZ we turned open
>relay on to test the initial sending etc.  Once that was satisfied, I am
>positive that we re-selected No Mail Relay.

Bingo -- that would be it.

It would be nice if IMail would allow changes on-the-fly, or at least show 
the setting that is currently being used.  :)

>However, because we all know that POP authentication is transmitted in
>clear text then what I am asking for in a later release is SSL
>encryption support for Eudora, and the Microsilly clients.  This is to
>further thwart the possibility of a clear text password being sniffed.

That would be a good idea.  On the other hand, until IMail's web SSL 
implementation is no longer flaky, it might not be a good idea.  POP3 
connections often occur once a minute ("I'll get my mail REALLY fast that 
way!!!"), which may end up causing a heavier SSL load than web messaging.

What I would recommend is using stunnel ( http://www.stunnel.org ), which 
will let you set up secure POP3 on the IMail server (using IMail's POP3 
server).

On the other hand, I've never heard of a spammer bothering to sniff 
passwords.  Some of the most notorious spammers certainly do break into 
computers (thousands of 'em), but usually only to send spam.  Why bother 
breaking into a computer to sniff passwords if you can break into a 
computer and just send the spam directly from it?

                                                    -Scott
---
Declude: Anti-virus, Anti-spam and Anti-hijacking solutions for 
IMail.  http://www.declude.com
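The log check Scott describes above (was the spam sent to local users, and did it come from a local IP?) written out over a constructed log sample. This is an added example, not part of the thread and not IMail's own code; the one-line-per-delivery log format, the local domain and the local address range are all assumptions.

```python
import ipaddress
import re
from collections import Counter

# Assumptions (not IMail's real log format): one line per delivery attempt,
# "<date> <time> <client-ip> <mail-from> <rcpt-to> <accepted|rejected>".
LOCAL_DOMAINS = {"example.com"}                       # domains this server hosts
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # the LAN/DMZ the server serves

# Constructed sample: one outside host pushes mail for outside recipients
# through the server (a relay), a local client sends mail normally, and one
# relay attempt is correctly refused after the SMTP service was restarted.
SAMPLE_LOG = """\
2003-07-09 03:12:01 198.51.100.7 bulk@example.net victim1@example.org accepted
2003-07-09 03:12:02 198.51.100.7 bulk@example.net victim2@example.org accepted
2003-07-09 03:12:05 192.0.2.15 alice@example.com bob@example.org accepted
2003-07-09 03:13:10 198.51.100.7 bulk@example.net carol@example.com accepted
2003-07-11 09:40:00 203.0.113.9 bulk@example.net victim3@example.org rejected
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (accepted|rejected)$")


def is_local_ip(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def is_local_mailbox(address):
    return address.rsplit("@", 1)[-1].lower() in LOCAL_DOMAINS


def relayed_messages(log_text):
    """Return accepted deliveries where neither the client IP nor the recipient
    is local: exactly the traffic a 'No Mail Relay' setting should refuse."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                     # unparseable line, skip it
        when, client, sender, rcpt, status = m.groups()
        if status != "accepted":
            continue                     # refused mail is the desired outcome
        if is_local_ip(client) or is_local_mailbox(rcpt):
            continue                     # inbound to us, or outbound from our users
        hits.append({"time": when, "client": client, "from": sender, "to": rcpt})
    return hits


def relay_sources(log_text):
    """Count relayed messages per client IP, so the abusing hosts stand out."""
    return Counter(h["client"] for h in relayed_messages(log_text))
```

An empty result after the SMTP service has been restarted, on the same log window, is the quickest confirmation that the "No Mail Relay" setting is actually in effect.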

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]


To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
